More Help Understanding MFA Implementation

[pjensen000]

Discussed in #3465

I'm exploring allauth for doing 2FA (switching over from django-allauth-2fa), but I've run into a snag with the implementation.

I absolutely need to force users to use 2FA. When this was previously discussed a year ago, the comment was that allauth does not know what the 2FA policy is, so it can't enforce 2FA (right away on sign-up, after some time period, optional, etc..). That's fine, but lets say I've decided the user needs 2FA based on my own policy, how do I tell allauth to sign them up without giving them logged in status?

It seems like the user has to be logged (authenticated) before they can access the accounts/2fa/ or accounts/2fa/totp/activate/ endpoints. I really need them to be at those endpoints before they are logged in (i.e., as part of the login flow) so they can set up 2fa for their account, without the possibility of them simply changing the URL and accessing the rest of the site.

I could put checks on every single endpoint in my site to prevent access if 2fa is not enabled, or maybe make some middleware that does that? It would be a nice feature if the allauth MFA Adapter had a "is_mfa_required(user)" function that could be overridden to require 2fa to log in, or allow the user to set it up as part of the login flow.

Am I missing something, or is making a custom middleware to redirect all requests to the accounts/2fa/... endpoints the "best" way to do this?

Thanks for your help with this!

Best Regards,
-Peter

[pjensen000]

I went ahead and implemented some middleware to force 2fa. I used some kludgy logic to detect if the user was visiting an allauth page: request.path.startswith('/accounts/'). Not sure if there is a better way to check that. This probably would be better if it were integrated into the login flow of allauth, with custom app logic handled in an adapter method override, but this gets the job done.

If anyone needs it, it looks like the code below. This forces all requests to redirect to the 2fa setup page, except requests that go to the allauth pages, so the user can still do the actual 2fa setup, or log out, etc..

The app specific reasons why 2fa might be required go in the "CUSTOM LOGIC HERE" section. This is where you can set custom per-user rules about 2fa... or where you could call a function like is_mfa_required(request.user)

from allauth.mfa.utils import is_mfa_enabled
from django.urls import reverse

class Require2FAMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        if request.user.is_authenticated and \
            (not request.path.startswith('/accounts/') or \
            reverse('login_success') == request.path) and \
            (<CUSTOM LOGIC HERE>):

           if not is_mfa_enabled(request.user):
               return redirect('mfa_index')

        response = self.get_response(request)
        return response